Account hacked and suspended

A few minutes ago, one of my accounts was suspended and it was showing an Arabic hack message. After checking, the "suspended web template" was changed. I reverted to the default and unsuspended the account, and this account is working correctly now. I also changed the root password and saw in the firewall that this IP was blocked:

Staff Member

It's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your websites. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

If the cPanel account is owned by a reseller you may be in OK shape, but if the account is owned by root and someone managed to change that template, then your server should be considered compromised on a root level. You should migrate your sites to a new server with a clean OS installation and change all passwords.

The account suspensions and template edit should be logged in the cPanel access log, unless the hacker erased the entries (which is possible with root access, but is rarely done).

The best advice I can give you for now is to watch the cPanel access log (tail -f) in a terminal, and change the template yourself. You'll see a request structure like POST /whatever/?some_action=template_change

The above is completely made up, but the point is, you'll have an entry with something defining in it. Adding e-mail accounts uses "addpop" and so on. Once you find that, grep for that string in the log to see when the template was changed. With any luck you'll find the IP that was in there.

If you do confirm unauthorized root access, again, the advice to migrate to a clean system is really the best bet.
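A small script that carries out the grep step described in the reply above, as an added example that is not part of the thread. It assumes a common-log-style access log layout and reuses the thread's own made-up marker string; every log line in it is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: grep a cPanel-style access log for the
# request marker you learned by making the change yourself, then list who sent
# it. Log format mirrors common access logs; the marker string is the thread's
# own made-up example, and every log line below is constructed sample data.

LOG="${TMPDIR:-/tmp}/cpanel_access_sample.log"
cat > "$LOG" <<'EOF'
203.0.113.10 - user1 [05/01/2024:10:01:02 -0000] "GET /frontend/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - root [05/01/2024:10:03:44 -0000] "POST /whatever/?some_action=template_change HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.10 - user1 [05/01/2024:10:05:10 -0000] "POST /frontend/mail/addpop HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - root [05/01/2024:10:06:01 -0000] "POST /whatever/?some_action=template_change HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF

# find_requests LOGFILE MARKER
# Prints one line per matching request: timestamp, source IP, authenticated user.
find_requests() {
  grep -F -- "$2" "$1" | awk '{
    # field layout: ip - user [timestamp zone] "METHOD path PROTO" status ...
    ts = $4; sub(/^\[/, "", ts)
    printf "%s\t%s\t%s\n", ts, $1, $3
  }'
}

# unique_ips LOGFILE MARKER
# Distinct source IPs that issued the marked request; compare them against
# your own address (from the change you made yourself) and block the rest.
unique_ips() {
  find_requests "$1" "$2" | cut -f2 | sort -u
}

# Stand-alone run. On a live server point LOG at the real cPanel access log
# (typically /usr/local/cpanel/logs/access_log) and watch it with tail -f
# while you change the suspended-page template once yourself.
echo "Template changes:"
find_requests "$LOG" 'some_action=template_change'
echo "Source IPs:"
unique_ips "$LOG" 'some_action=template_change'
```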